Skip to main content

Do weak passwords keep you awake at night?

In September – as you probably read - a group of hobbyist hackers announced they had cracked 11.2 million user passwords from the troubled dating website Ashley Madison. Adding insult to injury, the group, called Cynosure Prime went on to publish the top 100 passwords (opens in new tab).

Revealing themselves as technologically inept, as well as morally questionable, passwords included “123456” in the top spot, followed by “12345” and “password.” I don’t think that even more obscure ones such as “secret” and “affair” would give your average hacker sleepless nights.

It was the same story a few years ago, when anti hacking software company Imperva analysed 32 million passwords that had been stolen by an unknown hacker from RockYou, a company that makes social media software. They found that over one per cent of the 32 million people had used “123456” – others in the top 20 included “12345,” “abc123,” and “qwerty.” Despite knowing about the dangers – cyber crime is one of the fastest growing crimes globally – I think people are still pretty blasé about their security.

People use passwords that are easy to remember. And they will use that password over and over again, for personal and work use. And it is this that causes you – the employer, the IT manager – a massive security headache. When an employee hands out a business card with their email address, they are effectively giving away their user name. For a hacker with time on his hands, he might start with a “dictionary attack” – literally sitting down and guessing what the password might be. They often succeed because people tend to use short passwords that are commonly used.

Brute force hacks are another commonly used tactic. You might have heard that a computer cluster has recently been unveiled that can process as many as 350 billion guesses a second – it can try every possible Windows password in the typical enterprise in under six hours.

More than 75 per cent of hacks involve weak or stolen passwords. In a 2014 security report, it was discovered that five out of six large enterprises had been targeted by advanced attackers, a 40 per cent uplift on the year before. It’s not just big companies – 31 per cent of total attacks were directed at SMEs. So if you haven’t been hacked yet, it might just be a matter of time.

Although you might well protect your organisation’s systems with more than just a password (companies often use two-factor authentication tokens which can also be hacked) many still do rely solely on user-generated passwords to secure company systems. So for many organisations, the fact that you are only as secure as your users’ weakest password is painfully true.

Helping to secure log ins, particularly for remote workers, can be the first step in trying to make company boundaries impenetrable. And software like multi factor authentication is a no brainer, particularly if there is a remote working policy in place. It uses a number of variables to validate a user’s identity, like their connection, their geographic location or time of day. Each time a user logs in, a one-time-passcode is generated in real time and sent to their mobile, making it night on impossible for hackers to circumvent.

In a world where passwords can be as pathetically weak as “12345” and hacking strategies are becoming increasingly sophisticated, organisations need to be doing as much as possible to deter cyber threats.

Torben Andersen, COO at SMS PASSCODE (opens in new tab)

Image Credit: Shutterstock/ Ditty_about_summer